File system operation and digital rights management (DRM)

ABSTRACT

File system interaction with digital rights management (DRM) is facilitated by enabling one or more file system components to be DRM-aware. These one or more file system components may be part of a computer operating system. An exemplary system implementation includes: one or more processors; and one or more media in operative communication therewith, the media storing one or more file system components that are configured to provide content having DRM controls to a requesting program in either a raw form or a decrypted form in dependence on whether the DRM controls comprise simple DRM content controls or complex DRM content controls. In another exemplary system implementation, the one or more file system components are configured to provide files with simple DRM content controls to requesting applications in a decrypted form and to provide files with complex DRM content controls to requesting applications in an unaltered form.

TECHNICAL FIELD

[0001] This disclosure relates in general to digital rights management (DRM) and in particular, by way of example but not limitation, to enabling a file system component to be DRM-aware and to be able to handle at least some DRM-controlled content.

BACKGROUND

[0002] Computers are utilized in personal, professional, educational and other areas and fields to perform functions, provide services, and/or facilitate access to content. Examples of such content include text, audio, images, audiovisual or multimedia material, executables, some combination thereof, and other content. Creators of much of this content often rely on intellectual property protections such as copyright to secure control and compensation for their works. However, rights holders also usually wish to supplement these legal protections with technical protections. This is especially true of content that is in a digital form because digital content can be copied, sold, shared, transferred, viewed, otherwise used, etc. without undergoing any degradation. Consequently, there is no natural technical-based expiration or other limitation on digital content once it has been disseminated.

[0003] One technique for offering technical protections (i.e., control) over content is digital rights management (DRM). DRM can limit, for example, a user's access to content. Such limitations may include, for instance, limiting the number of times content may be experienced, limiting the number of transfers of content, limiting the amount of time content may be experienced, limiting allowable modifications to content, and so forth. DRM may be implemented in any of a myriad of manners; however, any of these myriad of manners are generally intended to provide technical controls over content.

[0004] Computers typically employ application programs in order to provide the aforementioned functions, services, and content access. These application programs facilitate content viewing, content modifying, and content experiencing in general. Traditionally, in order for DRM to be effective in controlling content use, the application that is attempting to interact with DRM-controlled content must be DRM-aware and capable of enforcing DRM controls. This conventional approach to DRM may be effective for new applications being developed today for a DRM-enabled world. Unfortunately, there are many legacy applications that are already present on computers and that have no understanding of or ability to interact with DRM-controlled content.

[0005] Accordingly, there is a need for schemes and/or techniques to enable legacy applications to interact with DRM-controlled content.

SUMMARY

[0006] File system interaction with digital rights management (DRM) is facilitated by enabling one or more file system components to be DRM-aware. These one or more file system components may be, for example, part of a computer operating system. An exemplary system implementation for file operations and DRM includes: one or more processors; and one or more media in operative communication with the one or more processors, the one or more media storing one or more file system components that are adapted to execute on the one or more processors and that are configured to provide content having DRM controls to a requesting program in either a raw form or a decrypted form in dependence on whether the DRM controls comprise simple DRM content controls or complex DRM content controls.

[0007] Another exemplary system implementation for file system operations and DRM includes: one or more processors; and one or more media in operative communication with the one or more processors, the one or more media storing one or more file system components that are adapted to execute on the one or more processors and that are configured to provide files with simple DRM content controls to requesting applications in a decrypted form and to provide files with complex DRM content controls to requesting applications in an unaltered form.

[0008] An exemplary electronically-accessible media implementation includes electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions including: inspecting one or more DRM controls from a tag of DRM-controlled content; determining that the one or more DRM controls are simple DRM controls; and providing the DRM-controlled content in a decrypted form when the one or more DRM controls are determined to be simple DRM controls; wherein the actions of inspecting, determining, and providing are performed, at least partly, by one or more file system components.

[0009] Other method, system, media, and arrangement implementations are described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010] The same numbers are used throughout the drawings to reference like and/or corresponding aspects, features, and components.

[0011] FIG. 1 illustrates an exemplary general approach to file system operation and digital rights management (DRM).

[0012] FIG. 2 is a flow diagram that illustrates an exemplary general method for file system operation with DRM.

[0013] FIG. 3 illustrates another exemplary general approach to file system operation and DRM.

[0014] FIG. 4 is a flow diagram that illustrates another exemplary general method for file system operation with DRM.

[0015] FIG. 5 illustrates an exemplary computing operating environment that is capable of (wholly or partially) implementing at least one approach, method, and/or process as described herein.

[0016] FIG. 6 is a flow diagram that illustrates an exemplary specific process for enabling a file system component to be DRM-aware during file creating/opening.

[0017] FIG. 7 is a flow diagram that illustrates an exemplary specific process for enabling a file system component to be DRM-aware during file creating/saving.

[0018] FIG. 8 illustrates an exemplary general approach to client/server operating system (OS) interaction and DRM.

[0019] FIG. 9 is a flow diagram that illustrates an exemplary general method for client/server OS interaction with DRM.

DETAILED DESCRIPTION

[0020] FIG. 1 illustrates an exemplary general approach 100 to file system operation and digital rights management (DRM). At least one file system component 102 is in communication with a program 104 and content with DRM control(s) 106. File system component 102, program 104, and content with DRM control(s) 106 may be functioning and/or existing within a single computer or distributed between or among multiple computers. An exemplary computer operating environment with an optional remote computing device aspect is described below with particular reference to FIG. 5.

[0021] File system component 102 may be implemented as all or part of a file system of an operating system (OS). For example, it may be the entire file system of the OS or one or more device drivers thereof. It may also be realized as a middleware component. Program 104 may be any application, code, software, middleware, etc. that attempts to access content with DRM control(s) 106.

[0022] In a described implementation, content with DRM control(s) 106 may be constrained by one or more DRM controls on the use of the content. As illustrated, a tag 108 indicates which DRM control or controls are applied to content 106. Tag 108 may be any sort of tag or tags that may be associated with content 106. Examples of tag 108 include a file header, an alternate stream (such as an “NTFS” alternate stream), an application manifest, and so forth.

[0023] DRM controls are divided into simple DRM controls 110 and complex DRM controls 112. Simple or basic DRM controls 110 include those DRM controls that can be enforced by a file system such as file system component 102. Thus, simple DRM controls 110 include, for example, those controls directed to read, write, and/or modify.

[0024] Complex or rich DRM controls 112 include those DRM controls that cannot be enforced by a file system. Complex DRM controls 112 include, for example, no forwarding, no printing, allowing “X” reads, allowing plays for “Y” days, allowing reads without any modifications (e.g., thus preventing “save as” functions), and so forth. Although eight different DRM controls are all illustrated in tag 108, any number of these or other possible DRM controls may alternatively be indicated in tag 108.

[0025] In operation, program 104 requests access to content with DRM control(s) 106. File system component 102 inspects tag 108 to see which DRM control(s) are applicable to content 106. If tag 108 indicates that only one or more simple DRM controls 110 constrain the use of content 106, then file system component 102 performs or causes to be performed DRM-related functions. For example, file system component 102 decrypts (e.g., directly decrypts or indirectly causes to be decrypted) content with DRM control(s) 106. Additional exemplary DRM-related functions are described below. After decryption of the content of content with DRM control(s) 106, the decrypted content is provided to program 104.

[0026] If, on the other hand, tag 108 indicates that one or more complex DRM controls 112 constrain the use of content 106, then file system component 102 provides content with DRM control(s) 106 to the requesting program 104 in a raw state with all DRM protections in force (e.g., still encrypted, etc.).

[0027] Using approach 100 to file system operation and DRM enables a number of possibilities. For example, legacy applications that are not DRM-aware may be given access to DRM-controlled content in at least limited situations. For instance, an anti-virus program may access and review files having content with DRM control(s) 106 even when the anti-virus program cannot understand or does not wish to handle DRM controls on content. As another instance, DRM controls can be used with legacy applications that have no innate understanding of DRM functionality to establish a group or groups that are permitted to access content with such legacy applications when the DRM control(s) on such content are simple DRM controls 110.

[0028] FIG. 2 is a flow diagram 200 that illustrates an exemplary general method for file system operation with DRM. Flow diagram 200 includes three (3) blocks 202, 204, and 206. Actions for these blocks 202, 204, and 206 may be performed, for example, by a file system component 102 (of FIG. 1). At block 202, a tag of DRM-controlled content is inspected. For example, the file system component 102 may inspect a tag 108 of content with DRM control(s) 106. At block 204, it is determined that DRM control(s) as indicated in the tag of the DRM-controlled content are simple. For example, it may be determined from the tag 108 of the content with DRM control(s) 106 that any DRM controls thereon are simple DRM controls 110. At block 206, the content of the DRM-controlled content is provided to a requesting program in a decrypted form. For example, the content 106 is provided in a decrypted form to a program 104.

[0029] FIG. 3 illustrates another exemplary general approach 300 to file system operation and DRM. As illustrated, approach 300 includes a user computer 302 and a license server 304. A user and/or a program of user computer 302 desires to access DRM-controlled content, and license server 304 has the ability to facilitate the performance of DRM functions with reference to the desired DRM-controlled content.

[0030] In a described implementation, a non-DRM-aware application 104(A) and a DRM-aware application 104(B) access one or more files 306 through file system component 102. Files 306 include multiple files 306(1), 306(2) . . . 306(n). File 306(1) comprises content that is associated with simple DRM content controls 110. File 306(2) comprises content that is associated with complex DRM content controls 112. Simple DRM content controls 110 and complex DRM content controls 112 may be indicated respectively for files 306(1) and 306(2) at, for example, a tag of the file and/or the content thereof.

[0031] An application such as DRM-aware application 104(B) may be considered DRM-aware when it is capable of understanding and enforcing DRM controls of and on content and the files that include such content. Hence, in the abstract, DRM-aware application 104(B) is capable of accessing files 306(1) and 306(2) and interacting with a DRM client 308 so as to facilitate use of both file 306(1) and file 306(2) to the extent permitted by simple DRM content controls 110 and complex DRM content controls 112, respectively. Non-DRM-aware application 104(A), on the other hand, is not capable of interacting with DRM client 308 and is thus unable to access or use file 306(1) or file 306(2) absent intervention and aid by file system component 102.

[0032] In a described implementation, file system component 102 is capable of understanding and enforcing DRM controls of and on content and the files that include such content. Hence, file system component 102 is capable of interacting with DRM client 308 so as to facilitate use of certain files 306 that include DRM-controlled content. In this sense, file system component 102 is DRM-aware. For example, file system component 102 may have a manifest or other type of tag that delineates to DRM client 308 what or which DRM-controlled content file system component 102 is permitted to access. However, file system component 102 is authorized from a DRM perspective to directly handle those files 306 that include simple DRM content controls 110.

[0033] Operation of file system component 102, along with certain other illustrated elements of approach 300, is described in four (4) permutations in which each of non-DRM-aware application 104(A) and DRM-aware application 104(B) each attempt to access file 306(1) and file 306(2). In a first of the four described permutations, non-DRM-aware application 104(A) attempts to access file 306(1) with simple DRM content controls 110. When file system component 102 receives a request for file 306(1), file system component 102 detects that file 306(1) is protected with DRM content controls.

[0034] Specifically, file system component 102 detects that file 306(1) is protected with simple DRM content controls 110. Because the content controls are simple DRM controls 110, file system component 102 acts on behalf of non-DRM-aware application 104(A) by interacting with DRM client 308. File system component 102 provides an identity or user to DRM client 308. This identity or user may be representative of the human user of user computer 302 and/or the requesting application. Thus, this identity may establish or define a user context for DRM.

[0035] DRM client 308 uses communication link 310 to contact license server 304. Communication link 310 may be a wireless or wireline link, a public or private network link, a local or wide area network link, some combination thereof, and so forth. Furthermore, communication link 310 may be established using one or more of application protocol(s), remote procedure calls (RPCs), simple object access protocol (SOAP) messages, and so forth. Additional examples of communications between two computers are described below with particular reference to FIG. 5.

[0036] Specifically, DRM client 308 contacts authorization provider component 312 via communication link 310. DRM client 308 forwards the identity to authorization provider 312, which has access to licensing rights information 314. Authorization provider 312 utilizes the forwarded identity context to reference information related thereto that is located in licensing rights information 314.

[0037] Authorization provider 312 informs DRM client 308 as to what rights have been granted to the identity. If the identity has rights to the DRM-controlled content of file 306(1), DRM client 308 uses the appropriate key in accordance with DRM protocols to decrypt the content. File system component 102 may then provide the decrypted content of file 306(1) to non-DRM-aware application 104(A). Any DRM controls of simple DRM content controls 110 for file 306(1) are enforceable by file system component 102 as non-DRM-aware application 104(A) uses file 306(1).

[0038] In a second of the four described permutations, non-DRM-aware application 104(A) attempts to access file 306(2) with complex DRM content controls 112. When file system component 102 receives a request for file 306(2), file system component 102 detects that file 306(2) is protected with DRM content controls. Specifically, file system component 102 detects that file 306(2) is protected with complex DRM content controls 112. Because the content controls are complex DRM controls 112, file system component 102 does not act on behalf of non-DRM-aware application 104(A).

[0039] In other words, file system component 102 does not interact with DRM client 308 if the requested file has complex DRM content controls 112. Instead, file system component 102 provides file 306(2) to non-DRM-aware application 104(A) in an unaltered form. Because file 306(2) is encrypted in accordance with DRM protocols and non-DRM-aware application 104(A) is not able to handle files with DRM controls, non-DRM-aware application 104(A) is unable to access file 306(2) and the DRM-related protections for file 306(2) are enforced as intended. Alternatively, as described further below with particular reference to FIG. 6/Element 626, file system component 102 may only provide file 306(2) to applications that are validated as being properly DRM-aware.

[0040] In a third of the four described permutations, DRM-aware application 104(B) attempts to access file 306(1) with simple DRM content controls 110. When file system component 102 receives a request for file 306(1), file system component 102 detects that file 306(1) is protected with DRM content controls. Specifically, file system component 102 detects that file 306(1) is protected with simple DRM content controls 110. Because the content controls are simple DRM controls 110, file system component 102 acts on behalf of DRM-aware application 104(B) by interacting with DRM client 308.

[0041] As described above with respect to the first permutation, DRM client 308 eventually decrypts the content of file 306(1) for file system component 102, assuming that the current/user identity context for DRM-aware application 104(B) as provided to DRM client 308 has the appropriate DRM-related access rights. File system component 102 may then provide the decrypted content of file 306(1) to DRM-aware application 104(B). Any DRM controls of simple DRM content controls 110 for file 306(1) are enforceable by file system component 102 as DRM-aware application 104(B) uses file 306(1).

[0042] In an alternative implementation, file system component 102 may forward files with any DRM content controls 110 and/or 112 to DRM-aware application 104(B) in an unaltered form. This permits DRM-aware application 104(B) to access such files and enforce any DRM controls without direct intervention by file system component 102. File system component 102 may, in such cases, perform a check to determine whether an application 104 is a DRM-aware application 104(B), either as a matter of course or in response to an assertion by an application 104 that it is DRM-aware. This check may be accomplished using, for example, digital signatures of applications, manifests of applications, and so forth.

[0043] In a fourth of the four described permutations, DRM-aware application 104(B) attempts to access file 306(2) with complex DRM content controls 112. When file system component 102 receives a request for file 306(2), file system component 102 detects that file 306(2) is protected with DRM content controls. Specifically, file system component 102 detects that file 306(2) is protected with complex DRM content controls 112. Because the content controls are complex DRM controls 112, file system component 102 does not act on behalf of DRM-aware application 104(B).

[0044] In other words, file system component 102 does not interact with DRM client 308 if the requested file has complex DRM content controls 112. Instead, file system component 102 provides file 306(2) to DRM-aware application 104(B) in an unaltered form. This provisioning may be accomplished by giving a pointer, a handle, etc. for file 306(2) to DRM-aware application 104(B). Although file 306(2) is encrypted in accordance with DRM protocols, DRM-aware application 104(B) is able to handle files with DRM controls. Consequently, DRM-aware application 104(B) interacts with DRM client 308 (without needing to make any additional calls to file system component 102).

[0045] This interaction may result in the verification of identity and any accompanying DRM rights, the validation of DRM-aware application 104(B), the decryption of the content of file 306(2), and so forth, as described above with respect to the first permutation. DRM-aware application 104(B) is thus provided with a decrypted version of the DRM-controlled content of file 306(2). The DRM-related protections for file 306(2), as enumerated in complex DRM content controls 112, are enforced by the DRM provisions of DRM-aware application 104(B).

[0046] Hence, file system component 102 may provide access to files 306 having content with simple DRM content controls 110 to any type of application. Such simple DRM protections are enforced by file system component 102. For files 306 having content with complex DRM content controls 112, file system component 102 provides these files to requesting applications in raw, unaltered form. Consequently, only appropriately DRM-aware applications 104(B) can access and otherwise use files 306 having content with complex DRM content controls 112.

[0047] FIG. 4 is a flow diagram 400 that illustrates another exemplary general method for file system operation with DRM. Flow diagram 400 includes seven (7) blocks 402-414. Actions for these blocks 402-414 may be performed, for example, by a user computer 302 (of FIG. 3). At block 402, an application requests a file. For example, a non-DRM-aware application 104(A) or a DRM-aware application 104(B) may request a file 306 from a file system component 102.

[0048] At block 404, it is determined whether the requested file is protected. For example, the file system component 102 may review the file 306 to see if it is encrypted, such as when the file 306 is protected with DRM. If the file is not protected, then the requested file is provided unaltered to the requesting application at block 406. For example, the file system component 102 may pass a handle to the unaltered file 306 to the requesting application 104(A,B). Regardless of whether the requesting application 104 is a non-DRM-aware application 104(A) or a DRM-aware application 104(B), the requesting application 104(A,B) may access the unaltered and unprotected file 306.

[0049] If, on the other hand, the requested file is determined to be protected (at block 404), then it is determined whether the requested file is protected with simple DRM control(s) at block 408. For example, the file system component 102 may inspect a tag of file 306(1,2) to determine whether it is protected with simple DRM content controls 110. If the requested file is not protected with simple DRM control(s), then the requested file is provided unaltered to the requesting application at block 406. In this case, if the requesting application 104(A,B) is a non-DRM-aware application 104(A), then the DRM-protected file 306(2) with complex DRM content controls 112 will not be accessed. If the requesting application 104(A,B) is a DRM-aware application 104(B), then the DRM-protected file 306(2) may be accessed, depending on the result of a DRM analysis effectuated by interaction between the DRM-aware application 104(B) and a DRM client 308.

[0050] If, on the other hand, the requested file is determined to be protected with simple DRM control(s) (at block 408), then a license for the DRM-controlled file is verified at block 410. For example, the file system component 102 interacts with the DRM client 308 in order to have the identity context verified with a license server 304 at least with regard to the requested file 306(1) with the simple DRM content controls 110. At block 412, the DRM-controlled file is decrypted. For example, the DRM client 308 uses a key, which is acquired and/or authorized through exchanges over a communication link 310 with an authorization provider 312, to decrypt the requested file 306(1).

[0051] At block 414, the requested file in a decrypted form is provided to the requesting application. For example, the file system component 102 may pass a handle to the decrypted file 306(1) to the requesting application 104(A,B). Regardless of whether the requesting application 104(A,B) is a non-DRM-aware application 104(A) or a DRM-aware application 104(B), the requesting application 104(A,B) may access the decrypted file 306(1). The file system component 102 may enforce the simple DRM content control(s) 110 of the decrypted file 306(1).
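The decision flow of FIG. 4 (blocks 402-414) can be modeled in a few lines. The following is an added example, not code from the disclosure: every class and function name, the tag encoding as a set of control names, the toy XOR cipher, the constructed sample files, and the choice to raise PermissionError when the license check fails are assumptions made for illustration.

```python
from dataclasses import dataclass
from hashlib import sha256

# Controls a file system can enforce itself (paragraph [0023]). Any other name
# in a tag is treated as a complex control (assumption: unknown names fail closed).
SIMPLE_CONTROLS = frozenset({"read", "write", "modify"})


@dataclass(frozen=True)
class TaggedFile:
    """Hypothetical stand-in for a file 306 together with its tag 108."""
    payload: bytes                     # ciphertext when controls is non-empty
    controls: frozenset = frozenset()  # empty set models an unprotected file
    key_id: str = ""


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR keystream for illustration only; not a real DRM cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class LicenseServer:
    """Models authorization provider 312 with licensing rights information 314."""

    def __init__(self, keys, rights):
        self._keys = keys      # {key_id: key bytes}
        self._rights = rights  # {(identity, key_id): set of granted rights}

    def request_key(self, identity, key_id, access):
        if access in self._rights.get((identity, key_id), ()):
            return self._keys[key_id]
        return None


class DrmClient:
    """Models DRM client 308: verifies the license, then decrypts."""

    def __init__(self, server):
        self._server = server

    def decrypt(self, identity, tagged_file, access):
        key = self._server.request_key(identity, tagged_file.key_id, access)  # block 410
        if key is None:
            raise PermissionError(f"{identity!r} holds no {access!r} right")
        return toy_cipher(key, tagged_file.payload)                           # block 412


class FileSystemComponent:
    """Models file system component 102 handling a file request (block 402)."""

    def __init__(self, drm_client):
        self._drm = drm_client

    def open(self, tagged_file, identity, access="read"):
        if not tagged_file.controls:                     # block 404: not protected
            return "unaltered", tagged_file.payload      # block 406
        if not tagged_file.controls <= SIMPLE_CONTROLS:  # block 408: any complex control
            return "unaltered", tagged_file.payload      # block 406: still encrypted
        plaintext = self._drm.decrypt(identity, tagged_file, access)
        return "decrypted", plaintext                    # block 414


# Constructed sample data: one key, one licensed identity, three files.
KEY = b"constructed-demo-key"
PLAINTEXT = b"quarterly report"
SERVER = LicenseServer(keys={"k1": KEY}, rights={("alice", "k1"): {"read"}})
FS = FileSystemComponent(DrmClient(SERVER))
FILE_PLAIN = TaggedFile(b"readme")
FILE_SIMPLE = TaggedFile(toy_cipher(KEY, PLAINTEXT), frozenset({"read"}), "k1")
FILE_COMPLEX = TaggedFile(toy_cipher(KEY, PLAINTEXT), frozenset({"read", "no_print"}), "k1")

if __name__ == "__main__":
    for name, f in [("plain", FILE_PLAIN), ("simple", FILE_SIMPLE), ("complex", FILE_COMPLEX)]:
        form, data = FS.open(f, "alice")
        print(f"{name:8s} -> {form:9s} {data!r}")
```

A file whose tag mixes a simple control with a complex one is returned unaltered, which matches paragraph [0025]: decryption happens only when simple controls alone constrain the content.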

[0052] FIG. 5 illustrates an exemplary computing operating environment 500 that is capable of (fully or partially) implementing at least one approach, method, and/or process for enabling file system operation with DRM as described herein. Computing environment 500 may be utilized in the computer and network architectures described below.

[0053] Exemplary computing operating environment 500 is only one example of a computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the applicable computer (including general electronic device) and network architectures. Neither should computing environment 500 be interpreted as having any dependency or requirement relating to any one or any combination of components as illustrated in FIG. 5.

[0054] Additionally, file system operation with DRM may be implemented with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use include, but are not limited to, personal computers, server computers, thin clients, thick clients, personal digital assistants (PDAs) or mobile telephones, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, video game machines, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so forth.

[0055] Implementations with file system component(s) interacting with DRM functionality may be described in the general context of electronically-executable instructions. Generally, electronically-executable instructions include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.

[0056] DRM-aware file system component(s), as described in certain implementations herein, may also be practiced in distributed computing environments where tasks are performed by remotely-linked processing devices that are connected through a communications network. Especially in a distributed computing environment, electronically-executable instructions may be located in separate storage media, executed by different processors, and/or propagated over transmission media. For example, file system commands may be called over a network and executed on a remote computing device that is not directly attached to a computer in which an application is running and attempting to access DRM-protected content.

[0057] Computing environment 500 includes a general-purpose computing device in the form of a computer 502, which may comprise any electronic device with computing and/or processing capabilities. The components of computer 502 may include, but are not limited to, one or more processors or processing units 504, a system memory 506, and a system bus 508 that couples various system components including processor 504 to system memory 506.

[0058] System bus 508 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnects (PCI) bus also known as a Mezzanine bus.

[0059] Computer 502 typically includes a variety of electronically-accessible media. Such media may be any available media that is accessible by computer 502 or another electronic device, and it includes both volatile and non-volatile media, removable and non-removable media, and storage and transmission media.

[0060] System memory 506 includes electronically-accessible media in the form of volatile memory, such as random access memory (RAM) 510, and/or non-volatile memory, such as read only memory (ROM) 512. A basic input/output system (BIOS) 514, containing the basic routines that help to transfer information between elements within computer 502, such as during start-up, is stored in ROM 512. RAM 510 typically contains data and/or program modules/instructions that are immediately accessible to and/or being presently operated on by processing unit 504.

[0061] Computer 502 may also include other removable/non-removableand/or volatile/non-volatile electronic storage media. By way ofexample, FIG. 5 illustrates a hard disk drive 516 for reading from andwriting to a (typically) non-removable, non-volatile magnetic media (notseparately shown); a magnetic disk drive 518 for reading from andwriting to a (typically) removable, non-volatile magnetic disk 520(e.g., a “floppy disk”); and an optical disk drive 522 for reading fromand/or writing to a (typically) removable, non-volatile optical disk 524such as a CD-ROM, DVD-ROM, or other optical media. Hard disk drive 516,magnetic disk drive 518, and optical disk drive 522 are each connectedto system bus 508 by one or more data media interfaces 526.Alternatively, hard disk drive 516, magnetic disk drive 518, and opticaldisk drive 522 may be connected to system bus 508 by one or more otherseparate or combined interfaces (not shown).

[0062] The disk drives and their associated electronically-accessiblemedia provide non-volatile storage of electronically-executableinstructions, such as data structures, program modules, and other datafor computer 502. Although exemplary computer 502 illustrates a harddisk 516, a removable magnetic disk 520, and a removable optical disk524, it is to be appreciated that other types ofelectronically-accessible media may store instructions that areaccessible by an electronic device, such as magnetic cassettes or othermagnetic storage devices, flash memory cards, CD-ROM, digital versatiledisks (DVD) or other optical storage, random access memories (RAM), readonly memories (ROM), electrically erasable programmable read-onlymemories (EEPROM), and so forth. In other words, anyelectronically-accessible media may be utilized to realize the storagemedia of the exemplary computing system and environment 500.

[0063] Any number of program modules (or other units or sets of instructions) may be stored on hard disk 516, magnetic disk 520, optical disk 524, ROM 512, and/or RAM 510, including by way of example, an operating system 527, one or more application programs 528, other program modules 530, and program data 532. By way of example only, operating system 527 may comprise file system component 102, application programs 528 may comprise program and/or applications 104, and program data 532 may comprise files 306 and/or the content 106 thereof. DRM client 308 may also optionally comprise part of operating system 527. If so, DRM client 308 may exist as part of operating system 527 at the time of original manufacture, or it may be subsequently installed on top of operating system 527, and so forth. Alternatively, DRM client 308 may be a middleware component of computer 502 and/or user computer 302 (of FIG. 3).

[0064] A user may enter commands and information into computer 502 via input devices such as a keyboard 534 and a pointing device 536 (e.g., a “mouse”). Other input devices 538 (not shown specifically) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and other input devices are connected to processing unit 504 via input/output interfaces 540 that are coupled to system bus 508. However, they may instead be connected by other interface and bus structures, such as a parallel port, a game port, a universal serial bus (USB) port, an IEEE 1394 interface, an IEEE 802.11 interface, and so forth.

[0065] A monitor 542 or other type of display device may also be connected to system bus 508 via an interface, such as a video adapter 544. In addition to monitor 542, other output peripheral devices may include components such as speakers (not shown) and a printer 546, which may be connected to computer 502 via input/output interfaces 540.

[0066] Computer 502 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computing device 548. By way of example, remote computing device 548 may be a personal computer, a portable computer (e.g., laptop computer, tablet computer, PDA, mobile station, etc.), a server, a router, a network computer, a peer device, other common network node, or other computer type as listed above, and so forth. Remote computing device 548 is illustrated as a portable computer that may include many or all of the elements and features described herein relative to computer 502.

[0067] Logical connections between computer 502 and remote computer 548 are depicted as a local area network (LAN) 550 and a general wide area network (WAN) 552. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, the Internet, fixed and mobile telephone networks, other wireless networks, and so forth.

[0068] When implemented in a LAN networking environment, computer 502 is connected to a local area network 550 via a network interface or adapter 554. When implemented in a WAN networking environment, computer 502 typically includes a modem 556 or other means for establishing communications over wide area network 552. Modem 556, which may be internal or external to computer 502, may be connected to system bus 508 via input/output interfaces 540 or any other appropriate mechanism(s). It is to be appreciated that the illustrated network connections are exemplary and that other means of establishing communication link(s) between computers 502 and 548 may be employed.

[0069] In a networked environment, such as that illustrated with computing environment 500, program modules or other instructions that are depicted relative to computer 502, or portions thereof, may be fully or partially stored in a remote memory storage device. By way of example, remote application programs 558 reside on a memory device of remote computer 548. Also, for purposes of illustration, application programs 528 and other executable instructions such as operating system 527 are illustrated herein as discrete blocks, but it is recognized that such programs, components, and other instructions reside at various times in different storage components of computing device 502 (and/or remote computing device 548) and are executed by data processor(s) 504 of computer 502 (and/or those of remote computing device 548).

[0070] The methods and processes of FIGS. 2, 4, 6, 7, and 9 are illustrated in flow diagrams that are divided into multiple blocks. However, the order in which the methods and processes are described is not intended to be construed as a limitation, and any number of the described blocks can be combined in any order to implement one or more methods or processes for file system operation and DRM. Furthermore, although the methods and processes are described herein with reference to the various implementations or approaches of FIGS. 1, 3, and 8 (as well as the exemplary system environment of FIG. 5) where applicable, the methods and processes can be implemented in any suitable hardware, software, firmware, or combination thereof and using any suitable network architectures, file system configurations, DRM technologies, and so forth.

[0071] FIG. 6 is a flow diagram 600 that illustrates an exemplary specific process for enabling a file system component 102 to be DRM-aware during file creating/opening. The exemplary specific process of flow diagram 600 is divided into a user mode portion 602 and a kernel mode portion 604. In user mode portion 602, an application #1 104(1) is creating a file, such as a file 306 (of FIG. 3). Also, an application #2 104(2) is opening a file, such as a file 306. These create file and open file operations instigate interaction with a file system, such as one or more file system components 102. The remainder of the process of flow diagram 600 occurs within kernel mode portion 604.

[0072] In kernel mode portion 604 at block 606, a file system “NTFS” receives these operational requests. “NTFS” is an acronym for the New Technology File System of a Microsoft® Windows® operating system such as Windows XP. NTFS initiates a callout to “EFS” to determine whether the file to be created or opened is to be protected or is already protected, respectively, at block 608. “EFS” is an acronym for Encrypting File System, which is also present in certain Microsoft® Windows® operating systems such as Windows XP. Although the described implementation refers specifically to NTFS and EFS, alternative operating systems and/or operating system components may be employed for any of the described methods, approaches, and processes. For example, any file system with a file folder encryption component, driver, and/or functionality may be used.

[0073] NTFS may alternatively only initiate a callout to EFS (at block 608) if NTFS cannot directly manipulate (e.g., open) the relevant file. However, in a described implementation at block 610, EFS determines whether the file is protected. If the file is not protected, then control is returned to NTFS (via EFS block 608) with no action being taken by EFS. If the file is protected (as determined at block 610), EFS examines the file data at block 612 to determine the type of protection. If the protection is a standard encryption or other non-DRM protection, then EFS decrypts the file and the decrypted file is returned to NTFS (via EFS block 608).

[0074] If, on the other hand, the examination of the file data (at block 612) indicates a DRM type protection, then it is determined at block 614 whether the DRM protection is complex. If the DRM content controls are not complex, then a callout to a DRM module or other functionality is initiated at block 616. Because the DRM content controls are not complex, EFS and NTFS can enforce the DRM content controls. However, the DRM functionality still determines whether the user has access rights to the file at block 618. The user is usually the human user, but it may optionally be the requesting application 104 from user mode portion 602. If the user does not have access rights, the event is logged in an application (or security) log for security purposes at block 620, and process 600 may terminate, optionally after returning some type of error code or status to the requesting application 104.

[0075] If, on the other hand, the user is determined to have access rights (at block 618), then the user license is retrieved at block 622. In order to retrieve the user license and/or verify user access rights, group membership (or other authorization data) may be checked at block 624 (as indicated by connection “A”). After the user license is retrieved (at block 622), the content of the file is decrypted. After content decryption and file opening, process 600 may terminate.

[0076] Returning to block 614, if the DRM content controls are determined to be complex, then the requesting application 104 is validated from a DRM perspective at block 626. In other words, whether the requesting application 104 is a trusted DRM application that has been appropriately signed is validated. The requesting application 104 may be validated as a trusted DRM application, for example, by referring to its manifest, which lists and/or defines the binaries associated with an application and is frequently digitally signed.

[0077] Although block 626 is an optional block, performing these action(s) at the file system level may limit or even prevent some brute force attacks on the DRM functionality. If the validation fails, then EFS/NTFS denies to the calling application 104 access to the file. If the validation succeeds, the content (unaltered) is returned to the calling application 104. Hence, the validated and DRM-aware calling application 104 may interact with the DRM functionality and enforce the complex DRM controls. Regardless of whether the requesting application 104 is validated, process 600 may terminate thereafter.
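
The open path of FIG. 6 described in paragraphs [0072] to [0077] can be modelled as one decision function that records which flow-diagram blocks it visits. This is an added example, not code from the patent or from any NTFS/EFS component; the tag values, the `StoredFile` and `Caller` types, the group-based license check, and the XOR placeholder for decryption are assumptions made for illustration.

```python
from dataclasses import dataclass

# Claim 11 lists read/write/modify as simple; any other control is treated as complex.
SIMPLE_CONTROLS = frozenset({"read", "write", "modify"})


@dataclass(frozen=True)
class StoredFile:
    name: str
    data: bytes                            # bytes on disk (ciphertext when protected)
    protection: str = "none"               # hypothetical tag: "none" | "standard" | "drm"
    controls: frozenset = frozenset()      # DRM controls carried in the file's tag
    licensed_groups: frozenset = frozenset()


@dataclass(frozen=True)
class Caller:
    user: str
    groups: frozenset
    app: str
    app_trusted: bool                      # stand-in for a verified, signed manifest


@dataclass(frozen=True)
class OpenResult:
    status: str                            # "ok" | "denied"
    form: str                              # "plain" | "decrypted" | "raw" | "none"
    data: bytes
    trail: tuple                           # flow-diagram blocks visited, in order


def toy_crypt(data: bytes) -> bytes:
    """Placeholder for EFS/DRM cryptography: XOR with one byte, NOT a real cipher."""
    return bytes(b ^ 0x5A for b in data)


def open_file(f: StoredFile, caller: Caller, audit_log: list) -> OpenResult:
    trail = [606, 608, 610]                # NTFS receives, EFS callout, protected?
    if f.protection == "none":
        return OpenResult("ok", "plain", f.data, tuple(trail))

    trail.append(612)                      # what type of protection?
    if f.protection == "standard":
        return OpenResult("ok", "decrypted", toy_crypt(f.data), tuple(trail))

    trail.append(614)                      # DRM: simple or complex controls?
    if f.controls - SIMPLE_CONTROLS:
        trail.append(626)                  # validate the requesting application
        if not caller.app_trusted:
            # An unvalidated caller receives nothing, not even the ciphertext.
            return OpenResult("denied", "none", b"", tuple(trail))
        # A validated DRM-aware application gets the raw bytes and enforces
        # the complex controls itself through the DRM functionality.
        return OpenResult("ok", "raw", f.data, tuple(trail))

    trail += [616, 618, 624]               # DRM callout, access rights, group check
    if not (caller.groups & f.licensed_groups):
        trail.append(620)                  # log the failed attempt
        audit_log.append({"event": "drm_access_denied", "user": caller.user,
                          "app": caller.app, "file": f.name})
        return OpenResult("denied", "none", b"", tuple(trail))

    trail.append(622)                      # retrieve the user license, then decrypt
    return OpenResult("ok", "decrypted", toy_crypt(f.data), tuple(trail))


def demo():
    """Run constructed sample files and callers through the flow."""
    plain = b"Q3 forecast"                 # constructed sample content
    cipher = toy_crypt(plain)
    finance = frozenset({"finance"})
    files = {
        "open": StoredFile("notes.txt", plain),
        "efs": StoredFile("efs.doc", cipher, "standard"),
        "simple": StoredFile("budget.xls", cipher, "drm",
                             frozenset({"read", "write"}), finance),
        "complex": StoredFile("deck.ppt", cipher, "drm",
                              frozenset({"read", "no printing"}), finance),
    }
    alice = Caller("alice", finance, "legacy_editor.exe", app_trusted=False)
    bob = Caller("bob", frozenset({"sales"}), "legacy_editor.exe", app_trusted=False)
    carol = Caller("carol", finance, "drm_viewer.exe", app_trusted=True)
    log = []
    results = {
        "open/alice": open_file(files["open"], alice, log),
        "efs/alice": open_file(files["efs"], alice, log),
        "simple/alice": open_file(files["simple"], alice, log),
        "simple/bob": open_file(files["simple"], bob, log),
        "complex/alice": open_file(files["complex"], alice, log),
        "complex/carol": open_file(files["complex"], carol, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for key, r in results.items():
        print(f"{key:14} {r.status:7} {r.form:10} blocks={r.trail}")
    print("audit log:", log)
```

The non-DRM-aware editor reads simple-DRM content transparently once the user's license check passes, while the same editor gets no bytes at all for the complex-DRM file.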

[0078] FIG. 7 is a flow diagram 700 that illustrates an exemplary specific process for enabling a file system component 102 to be DRM-aware during file creating/saving. Generally, applications that are not DRM-aware or that are not aware that particular content is or is to be protected call the standard file system (e.g., NTFS in FIGS. 6 and 7) Application Programming Interfaces (APIs) to save the file, append to the file, modify a block of the file content, and so forth. The file system performs a callout to an abstraction layer (e.g., an EFS module, part, driver, etc. in FIGS. 6 and 7) to examine the content and determine if it contains one or more tags that indicate that it is or should be protected by the DRM functionality. If the content is tagged with DRM attributes for DRM content controls, the abstraction layer acts on behalf of the application to call the DRM client APIs to obtain a license, encrypt the content, and so forth.

[0079] Specifically, the exemplary process of flow diagram 700 is divided into user mode portion 602 and kernel mode portion 604. In user mode portion 602, application #1 104(1) is creating a file, and application #2 104(2) is saving/modifying a file, such as a file 306 (of FIG. 3). Saving in the abstract can refer to creating and then writing a file, opening or reading an existing file and then writing changes thereto, and so forth. These create file and save file operations instigate interaction with a file system, such as one or more file system components 102. The remainder of the process of flow diagram 700 occurs within kernel mode portion 604.

[0080] In kernel mode portion 604 at block 606, a file system component NTFS receives these operational requests. NTFS initiates a callout to EFS to determine whether the file to be created or saved/modified is to be protected or is already protected, respectively, at block 608. NTFS may alternatively only initiate a callout to EFS (from block 606 to block 608) if NTFS knows that the relevant file is to be encrypted in accordance with some scheme, which may or may not be related to DRM.

[0081] Regardless, in this described implementation at block 702, EFS determines whether there is a DRM attribute for the file. If there is no DRM attribute associated with the file, then control is returned to EFS. One of at least two options may occur at EFS (at block 608). First, if other (non-DRM) encryption protection is appropriate, EFS may effectuate such encryption before returning control to NTFS. Second, if no encryption is appropriate, EFS returns control to NTFS without any encryption action being taken by EFS. If, on the other hand, there is a DRM attribute associated with the file (as determined at block 702), a callout to a DRM client API( ) is performed to activate the DRM functionality at block 704.

[0082] At block 618′, the DRM client determines whether the current user context has access rights to the file, and, if so, whether such rights include saving/modifying the DRM-controlled content. If the current user context does not include saving/modifying access rights, then the attempted manipulation of DRM-controlled content fails and the event is logged in an application (or security) log at block 620. Thereafter, control is returned to NTFS (at block 606). If, on the other hand, the current user context does include saving/modifying access rights (as determined at block 618′), then a user license is retrieved at block 622.

[0083] When a user license is successfully retrieved (at block 622), the DRM-controlled content is encrypted by the DRM client (of block 704). Also, the DRM-controlled content may be returned to the calling application via EFS (of block 608) and/or NTFS (of block 606). Although illustrated separately, NTFS and EFS may have no logical or actual division within a file system component or components.

[0084] File system operation with DRM may provide a number of possibilities. For example, as described in certain general implementations herein, a file system can abstract and provide a DRM functionality layer to applications that cannot provide DRM content enforcement or are not aware of DRM client APIs on the platform. DRM client subsystems rely on the application being trusted (e.g., digitally signed with an appropriate code) and DRM-aware. By moving the abstraction layer lower (e.g., into the file system), EFS or another encrypting file system component may be considered to be a trusted DRM-aware application. For example, enabling the file system to be DRM-aware allows for an anti-virus program to scan and verify content as being virus-free when that content is DRM protected even if the anti-virus scanner is not DRM-aware.

[0085] A file system can also provide a group encryption model for files, applications, and users by combining a file system driver with a DRM client subsystem. Users that have applications that need basic sharing of encrypted content among user groups can obtain seamless group sharing of content through DRM functionality such as a DRM client/server licensing architecture. The DRM client determines access and encrypts/decrypts content based on the license server permissions. Neither the upper-level file system, nor the application, nor the user need be aware of the DRM capability of the lower-level file system because the capability inherently results from using EFS or another encrypting file system component as a DRM-enabled application.

[0086] A validation component of a file system may provide additional performance and security enhancements to a file system operation with DRM scheme. For example, when multiple DRM-aware applications are running under the same user context and accessing DRM-protected files, EFS or another encrypting file system component can enhance performance by maintaining a user context cache to the DRM client for validating users and obtaining licenses for DRM-controlled content on behalf of such users. In other words, after a DRM-aware application initially retrieves a license for DRM-controlled content, other DRM-aware applications that are operating in the same or joint user context may benefit from the cached validation and licensing retrieval.

[0087] An encrypting file system component such as EFS can also ensure that even DRM-aware applications are validated prior to returning protected content. Even if the content is protected with rich DRM controls, the EFS component may refuse to return any content, whether still encrypted or not, to an application that is not trusted as evidenced by the possession of a valid code signature in the application. This can limit or prevent an un-trusted application from acquiring encrypted content and then performing brute force attacks thereon. This is also described further above with reference to block 626 of FIG. 6.

[0088] FIG. 8 illustrates an exemplary general approach 800 to client/server operating system (OS) interaction and DRM. A first user computer 302(1) having a client OS that is not DRM-aware 802(A) and a second user computer 302(2) having a client OS that is DRM-aware 802(B) are illustrated. An administrative computer 804 having a server OS 806 is also illustrated. In this described implementation, server OS 806 is DRM-aware. Although the computer having server OS 806 is illustrated as an administrative computer 804, it may alternatively be any general server computer.

[0089] Server OS 806 is communicating with non-DRM-aware client OS 802(A) of user computer 302(1) via communication link 310(1) and with DRM-aware client OS 802(B) of user computer 302(2) via communication link 310(2). Server OS 806 interacts with non-DRM-aware client OS 802(A) and DRM-aware client OS 802(B) differently because of their differing DRM-aware statuses.

[0090] Specifically, DRM-controlled content is sent from server OS 806 to DRM-aware client OS 802(B) unaltered so that it may handle the DRM-controlled content locally at user computer 302(2). For example, DRM-aware client OS 802(B) may appropriately handle DRM-controlled content using a DRM client 308 (of FIG. 3) and/or one or more DRM-aware file system components 102.

[0091] However, with non-DRM-aware client OS 802(A), server OS 806 first handles any possible license acquisition and content decryption prior to sending the content to non-DRM-aware client OS 802(A) provided that server OS 806 is capable of enforcing the DRM controls. These controls may correspond to simple DRM content controls 110 (of FIG. 1). By providing decrypted DRM-controlled content to non-DRM-aware client OS 802(A), server OS 806 enables legacy, non-DRM-aware client OS 802(A) to access/manipulate/use/etc. the DRM-controlled content.

[0092] FIG. 9 is a flow diagram 900 that illustrates an exemplary general method for client/server OS interaction with DRM. Flow diagram 900 includes four (4) blocks 902-908. Actions for these blocks 902-908 may be performed, for example, by a server OS 806 (of FIG. 8) in conjunction with a non-DRM-aware client OS 802(A) and a DRM-aware client OS 802(B), along with their respective computers 804, 302(1), and 302(2).

[0093] At block 902, a server OS interrogates a client OS. For example, the server OS 806 may interrogate the non-DRM-aware client OS 802(A) and/or the DRM-aware client OS 802(B). At block 904, the server OS determines through the interrogation (and optionally a verification) whether the client OS is DRM-aware. For example, the server OS 806 may determine that the client OS 802(A) is not DRM-aware and that the client OS 802(B) is DRM-aware. Alternatively, this determination may be a result of an affirmative assertion by the DRM-aware client OS 802(B) (e.g., via a (verifiable) DRM-capable indicator sent from the DRM-aware client OS 802(B) to the server OS 806).

[0094] If it is determined that the client OS is not DRM-aware (at block 904), then requested content that is DRM-protected is returned to the client OS in a decrypted form at block 906. For example, the server OS 806 may return content with simple DRM controls in a decrypted form to the non-DRM-aware client OS 802(A). If, on the other hand, it is determined that the client OS is DRM-aware (at block 904), then requested content that is DRM-protected is returned to the client OS in an unaltered or raw binary form at block 908. For example, the server OS 806 may return DRM-controlled content in an unaltered form to the DRM-aware client OS 802(B).

[0095] Although systems, media, methods, approaches, processes, etc. have been described in language specific to structural and functional features and/or methods, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed as exemplary forms of implementing the claimed invention.

1. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: inspecting one or more digital rights management (DRM) controls from a tag of DRM-controlled content; determining that the one or more DRM controls are simple DRM controls; and providing the DRM-controlled content in a decrypted form when the one or more DRM controls are determined to be simple DRM controls; wherein the actions of inspecting, determining, and providing are performed, at least partly, by one or more file system components.
2. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 1, wherein the simple DRM controls comprise read, write, and/or modify.
3. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 1, wherein the one or more file system components comprise at least part of an operating system for a computer.
4. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 1, wherein the one or more file system components comprise at least part of at least one middleware component for a computer.
5. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 1, wherein the actions of inspecting, determining, and providing are performed responsive to an action of receiving a request for the DRM-controlled content from a program.
6. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 5, wherein the action of providing comprises the action of providing the DRM-controlled content in the decrypted form to the program.
7. A system for file operations and digital rights management (DRM), the system comprising: one or more processors; and one or more media in operative communication with the one or more processors, the one or more media storing one or more file system components that are adapted to execute on the one or more processors and that are configured to provide content having DRM controls to a requesting program in either a raw form or a decrypted form in dependence on whether the DRM controls comprise simple DRM content controls or complex DRM content controls.
8. The system as recited in claim 7, wherein the one or more file system components are further configured to provide the content having the complex DRM content controls to the requesting program in the raw form.
9. The system as recited in claim 7, wherein the one or more file system components are further configured to provide the content having the simple DRM content controls to the requesting program in the decrypted form.
10. The system as recited in claim 9, wherein the one or more file system components are further configured to enforce the simple DRM content controls for the requesting program.
11. The system as recited in claim 7, wherein the simple DRM content controls comprise read, write, and/or modify; and wherein the complex DRM content controls comprise no forwarding, no printing, allow read “X” times, allow play for “Y” days, and/or allow read with no modifying.
12. A system for file system operations and digital rights management (DRM), the system comprising: one or more processors; and one or more media in operative communication with the one or more processors, the one or more media storing one or more file system components that are adapted to execute on the one or more processors and that are configured to: provide files with simple DRM content controls to requesting applications in a decrypted form; and provide files with complex DRM content controls to requesting applications in an unaltered form.
13. The system as recited in claim 12, wherein the one or more media further store the requesting applications, the requesting applications comprising at least one non-DRM-aware application and at least one DRM-aware application.
14. The system as recited in claim 13, wherein the at least one DRM-aware application is capable of causing the files with the complex DRM content controls to be decrypted; and wherein the at least one non-DRM-aware application is incapable of causing the files with the complex DRM content controls to be decrypted.
15. The system as recited in claim 12, wherein the one or more media further store a DRM client, the DRM client capable of communicating with a license server to verify access rights to files with the simple DRM content controls and/or to files with the complex DRM content controls.
16. The system as recited in claim 15, wherein the DRM client comprises part of the one or more file system components, or the one or more file system components are further configured to interact with the DRM client.
17. The system as recited in claim 12, wherein the system comprises a user computer and/or the one or more file system components comprise at least part of an operating system of the system.
18. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: determining whether a requested file is protected; if the requested file is protected, determining whether the requested file is protected with one or more simple digital rights management (DRM) controls; if so, decrypting the requested file and providing the decrypted requested file to a requesting application; and if not, providing the requested file unaltered to the requesting application.
19. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 18, wherein the electronically-executable instructions comprise at least one file system component of an operating system.
20. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 18, wherein the action of determining whether a requested file is protected comprises the action of determining whether the requested file is protected with at least one DRM content control.
21. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 18, wherein the action of determining whether the requested file is protected with one or more simple DRM controls comprises the action of determining whether the requested file is protected with the one or more simple DRM controls and no complex DRM controls.
22. The one or more electronically-accessible media as recited in claim 18, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform a further action comprising: if the requested file is not protected, providing the requested file unaltered to the requesting application.
23. The one or more electronically-accessible media as recited in claim 18, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform, if the requested file is determined to be protected with the one or more simple DRM controls and prior to the action of decrypting, a further action comprising: verifying that a current user context possesses a license to access the requested file.
24. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 23, wherein the action of verifying is initiated by at least one DRM client component.
25. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 23, wherein the current user context corresponds to at least one of a human user and the requesting application.
26. One or more electronically-accessible media comprising at least one file system component that, when electronically-executed, directs an electronic apparatus to return content to requesting applications in a decrypted form if the content is protected by digital rights management (DRM) controls that the at least one file system component can enforce and to return content to requesting applications in an unaltered form if the content is protected by DRM controls that the at least one file system component cannot enforce.
27. The one or more electronically-accessible media comprising the at least one file system component as recited in claim 26, wherein the at least one file system component comprises at least part of a protected portion of an operating system.
 28. One ormore electronically-accessible media comprisingelectronically-executable instructions that, when executed, direct anelectronic apparatus to perform actions comprising: examining arequested file for digital rights management (DRM) controls;ascertaining whether the requested file is associated with at least onecomplex DRM content control; if the requested file is not associatedwith at least one complex DRM content control, performing actionscomprising: calling on DRM functionality; determining whether a user hasaccess to the requested file using the DRM functionality; and if theuser is determined to have access to the requested file, decrypting therequested file; wherein at least the actions of examining, ascertaining,and calling are performed by one or more file system components.
 29. Theone or more electronically-accessible media comprising theelectronically-executable instructions that, when executed, direct anelectronic apparatus to perform the actions as recited in claim 28,wherein the one or more file system components comprise at least oneencryption component of an operating system.
 30. The one or moreelectronically-accessible media comprising the electronically-executableinstructions that, when executed, direct an electronic apparatus toperform the actions as recited in claim 28, wherein the user correspondsto at least one of a human user and an application.
 31. The one or moreelectronically-accessible media as recited in claim 28, wherein theelectronically-executable instructions, when executed, direct anelectronic apparatus to perform a further action comprising: if the useris determined to have access to the requested file, providing thedecrypted requested file to a requesting application responsive to acreate file or an open file operation.
 32. The one or moreelectronically-accessible media as recited in claim 28, wherein theelectronically-executable instructions, when executed, direct anelectronic apparatus to perform, if the user is determined to haveaccess to the requested file and prior to the action of decrypting, afurther action comprising: retrieving a license corresponding to acurrent user context from a DRM license server.
 33. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 32, wherein the action of retrieving comprises the action of: checking a group for membership or other authorization data with respect to the current user context.
 34. The one or more electronically-accessible media as recited in claim 28, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform a further action comprising: if the user is not determined to have access to the requested file, logging a failed access attempt in an application or security log.
 35. The one or more electronically-accessible media as recited in claim 28, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform further actions comprising: if the requested file is associated with at least one complex DRM content control, performing actions comprising: attempting to validate a requesting application from a DRM perspective; and if the requesting application fails to be validated, denying access to the requesting application to the requested file.
 36. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 35, wherein the requesting application comprises a DRM-aware application.
 37. The one or more electronically-accessible media as recited in claim 28, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform further actions comprising: if the requested file is associated with at least one complex DRM content control, performing actions comprising: attempting to validate a requesting application from a DRM perspective; and if the requesting application is successfully validated, providing the requested file in an unaltered form to the requesting application.
 38. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 28, wherein the one or more electronically-accessible media comprise at least one electronically-accessible storage media and/or at least one electronically-accessible transmission media.
 39. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: ascertaining whether a requested file has a digital rights management (DRM) attribute associated therewith; if the requested file does have a DRM attribute associated therewith, performing actions comprising: calling on DRM functionality; determining whether a user has saving/modifying access rights to the requested file using the DRM functionality; and if the user is determined to have saving/modifying access rights to the requested file, encrypting the requested file; wherein at least the actions of ascertaining and calling are performed by one or more file system components.
 40. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 39, wherein the DRM functionality comprises at least part of a DRM client.
 41. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 39, wherein the user corresponds to at least one of a human user and an application.
 42. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 39, wherein the requested file has been requested by an application based on at least one of a create operation and a save/modify operation.
 43. The one or more electronically-accessible media as recited in claim 39, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform, if the user is determined to have saving/modifying access rights to the requested file, further actions comprising: retrieving a license corresponding to the user from a DRM authorization provider; and using the license to protect the requested file.
 44. The one or more electronically-accessible media as recited in claim 39, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform a further action comprising: if the user is determined to have saving/modifying access rights to the requested file, returning at least the content of the requested file to a requesting application.
 45. The one or more electronically-accessible media as recited in claim 39, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform a further action comprising: if the user is not determined to have saving/modifying access rights to the requested file, logging a failed access attempt on the requested file in an application or security log.
 46. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: receiving a request from a client operating system for a file that is protected by one or more digital rights management (DRM) controls; determining whether the client operating system is adapted to handle content that is protected by the one or more DRM controls; and if not, returning the file to the client operating system in a decrypted form.
 47. The one or more electronically-accessible media as recited in claim 46, wherein the electronically-executable instructions, when executed, direct an electronic apparatus to perform a further action comprising: if so, returning the file to the client operating system in an unaltered form.
 48. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 46, wherein the action of receiving comprises the action of: receiving the request through an application programming interface (API) from the client operating system.
 49. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 46, wherein the action of determining comprises the action of: interrogating and verifying the client operating system to determine whether the client operating system is adapted to handle content that is protected by the one or more DRM controls.
 50. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 46, wherein the action of determining comprises the action of: receiving a verifiable DRM-capable indicator from the client operating system to determine that the client operating system is adapted to handle content that is protected by the one or more DRM controls.
 51. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 46, wherein the electronically-executable instructions comprise at least part of a server operating system.
 52. A system for file operations and digital rights management (DRM), the system comprising: one or more processors; and one or more media in operative communication with the one or more processors, the one or more media storing electronically-executable instructions that, when executed by the one or more processors, cause the system to interact with a non-DRM-aware client operating system on a remote computer such that DRM-controlled content is provided thereto in a decrypted form when DRM content controls on the DRM-controlled content are not complex DRM content controls.
 53. The system as recited in claim 52, wherein the electronically-executable instructions, when executed by the one or more processors, further cause the system to interact with a DRM-aware client operating system on a different remote computer such that DRM-controlled content is provided thereto in an encrypted, unaltered form.
 54. The system as recited in claim 52, wherein the system comprises a server computer.
 55. The system as recited in claim 52, wherein the electronically-executable instructions comprise at least part of a server operating system.
 56. The system as recited in claim 52, wherein the electronically-executable instructions enable the system to enforce simple DRM content controls for the non-DRM-aware client operating system.
 57. One or more electronically-accessible media comprising an operating system that includes instructions that are capable of being executed on an electronic apparatus, the operating system comprising: a file encryption component that is configured to interact with a digital rights management (DRM) client so that the file encryption component can decrypt content having simple DRM content controls but no complex DRM content controls.
 58. The one or more electronically-accessible media comprising the operating system as recited in claim 57, wherein the simple DRM content controls comprise DRM content controls that are enforceable by one or more file system components of the operating system, the one or more file system components including the file encryption component.
 59. The one or more electronically-accessible media comprising the operating system as recited in claim 57, wherein the simple DRM content controls comprise read, write, and/or modify controls.
 60. An arrangement for file system operation with digital rights management (DRM), the arrangement comprising: determining means for determining whether a requested file that is associated with DRM content controls is protected with one or more complex DRM content controls; and decrypting means for decrypting the requested file if the determining means determines that the requested file is not protected with one or more complex DRM content controls.
 61. The arrangement as recited in claim 60, further comprising: providing means for providing the requested file in decrypted form to a requesting application if the determining means determines that the requested file is not protected with one or more complex DRM content controls and for providing the requested file in unaltered form to the requesting application if the determining means determines that the requested file is protected with one or more complex DRM content controls.
 62. The arrangement as recited in claim 60, wherein the arrangement comprises at least one of (i) one or more electronically-accessible media and (ii) one or more computers.
 63. An arrangement for file system operation with digital rights management (DRM), the arrangement comprising: DRM means for implementing DRM functionality; and file handling means for handling file requests from applications, the file handling means adapted to interact with the DRM means so as to cause a subset of DRM-protected files to be decrypted for the applications.
 64. The arrangement as recited in claim 63, wherein the DRM means comprises DRM client means for implementing DRM client functionality, the DRM client means (i) adapted to interact with a licensing authorization provider and (ii) capable of decrypting files.
 65. The arrangement as recited in claim 63, wherein the subset of DRM-protected files comprises DRM-protected files that are protected with DRM content controls that are not complex.
 66. A system for file operations and digital rights management (DRM), the system comprising: a first application that is capable of requesting one or more files that are protected by at least one DRM content control; a second application that is also capable of requesting the one or more files that are protected by at least one DRM content control; and one or more file system components that are capable of responding to requests from the first and second applications for the one or more files, the one or more file system components adapted to interact with DRM functionality to cause files of the one or more files with no complex DRM content controls to be decrypted and to provide the decrypted files to the first and second applications, the one or more file system components configured to create an identity-context-based cache of DRM-protected files so that a file that has been decrypted on behalf of and provided to the first application may be provided to the second application without additional interaction with the DRM functionality on behalf of the second application if the first and second applications each correspond to a joint user context.
 67. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: providing content with digital rights management (DRM) content controls to requesting applications in a decrypted form when the DRM content controls only comprise one or more of reading, writing, and/or modifying controls; and providing content with DRM content controls to requesting applications in an unaltered form when the DRM content controls include at least one control that does not comprise a reading, a writing, and/or a modifying control.
 68. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 67, wherein the electronically-executable instructions comprise at least part of a file system.
 69. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 67, wherein the electronically-executable instructions comprise at least part of a middleware component.
 70. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 67, wherein the action of providing content with DRM content controls to requesting applications in an unaltered form comprises the action of: providing the content with DRM content controls to the requesting applications in the unaltered form only after the requesting applications have been verified as trusted and DRM-aware.
 71. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform actions comprising: inspecting one or more digital rights management (DRM) controls from a tag of DRM-controlled content; determining whether the one or more DRM controls are simple DRM controls or complex DRM controls; if the one or more DRM controls are determined to be simple DRM controls, providing the DRM-controlled content in a decrypted form; and if the one or more DRM controls are determined to be complex DRM controls, providing the DRM-controlled content in an unaltered form.
 72. The one or more electronically-accessible media comprising the electronically-executable instructions that, when executed, direct an electronic apparatus to perform the actions as recited in claim 71, wherein the electronically-executable instructions comprise at least one of (i) at least part of a file system and (ii) at least part of a middleware component.
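
The file-open decision path recited in claims 28, 34, 35, 37, 66 and 71 can be modeled in a few lines of Python. This is an added example, not code from the patent: `ToyDrmClient`, `DrmAwareFileSystem`, the XOR placeholder used in place of real decryption, and the sample files and application names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

SIMPLE_CONTROLS = {"read", "write", "modify"}  # simple controls per claims 59 and 67

@dataclass
class ProtectedFile:
    name: str
    controls: set        # DRM controls inspected from the content's tag (claim 71)
    ciphertext: bytes
    licensed_users: set  # constructed stand-in for a license server's answer

class ToyDrmClient:
    """Hypothetical stand-in for the DRM functionality the file system calls on."""
    def __init__(self):
        self.calls = 0
    def has_access(self, user, f):
        self.calls += 1
        return user in f.licensed_users
    def decrypt(self, f):
        return bytes(b ^ 0x5A for b in f.ciphertext)  # placeholder, not real crypto

@dataclass
class DrmAwareFileSystem:
    drm: ToyDrmClient
    trusted_apps: set                               # apps validated as DRM-aware
    cache: dict = field(default_factory=dict)       # (user context, file) -> plaintext
    security_log: list = field(default_factory=list)

    def open_file(self, f, user, app):
        if f.controls - SIMPLE_CONTROLS:            # at least one complex control
            if app not in self.trusted_apps:        # claim 35: validation fails
                raise PermissionError(f"{app} is not a validated DRM-aware application")
            return f.ciphertext                     # claim 37: unaltered form
        key = (user, f.name)                        # keyed on user context, not on app
        if key in self.cache:                       # claim 66: no second DRM round trip
            return self.cache[key]
        if not self.drm.has_access(user, f):        # claim 28 check, claim 34 logging
            self.security_log.append(("failed-access", user, f.name))
            raise PermissionError(f"{user} has no access to {f.name}")
        self.cache[key] = self.drm.decrypt(f)
        return self.cache[key]

def demo():
    """Constructed sample: one simple-control file and one complex-control file."""
    fs = DrmAwareFileSystem(ToyDrmClient(), trusted_apps={"player.exe"})
    memo = ProtectedFile("memo.doc", {"read", "write"},
                         bytes(b ^ 0x5A for b in b"hello"), {"alice"})
    song = ProtectedFile("song.wma", {"read", "play-count"}, b"\x01\x02", {"alice"})
    first = fs.open_file(memo, "alice", "editor.exe")    # decrypted via DRM client
    second = fs.open_file(memo, "alice", "viewer.exe")   # served from the cache
    raw = fs.open_file(song, "alice", "player.exe")      # complex: returned unaltered
    return first, second, raw, fs.drm.calls
```

Because the cache is keyed on the user context rather than the requesting application, a second application running as the same user receives plaintext without a new license check, while a different user always goes through the DRM client.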